Quantum secret sharing for general access structures 
Abstract

We explore the conversion of classical secret-sharing schemes to quantum ones, and how this can be used to give efficient QSS schemes for general adversary structures. Our first result is that quantum secret-sharing is possible for any structure for which no two disjoint sets can reconstruct the secret (this was also proved, somewhat differently, in [?]). To obtain this we show that a large class of linear classical SS schemes can be converted into quantum schemes of the same efficiency.

We also give a necessary and sufficient condition for the direct conversion of classical schemes into quantum ones, and show that all group homomorphic schemes satisfy it.



1 Introduction 

A classical secret sharing scheme is a (usually) randomized encoding of a secret $s$ into an $n$-tuple, the coordinates of which are each given to different players in the player set $P$. The encoding is a secret sharing scheme if there exists a collection $\mathcal{A}$ of subsets of $P$ (called the adversary structure) such that no set of players in $\mathcal{A}$ gets any information about $s$ from their shares, but any set of players not in $\mathcal{A}$ will be able to compute $s$. The classic example of this is due to Shamir [?]. He gives a construction based on polynomials over a finite field of a threshold secret-sharing scheme for any threshold $t$ and any number of players (in such a scheme, $\mathcal{A} = \{B \subseteq P : |B| < t\}$).

The idea of sharing quantum secrets was first described and solved for the case $t = 1$, $n = 2$ by Hillery et al. [?]. A more general solution, for all $t > 2$, was recently given by Cleve et al. (CGL, [?]). Their scheme is a direct generalization of the well-known Shamir scheme [?], with all calculations done unitarily and "at the quantum level", i.e. replacing random choices with equal superpositions over those choices.

*Work done while the author was at McGill University, Montreal. Supported by an NSERC undergraduate research grant.

†In fact, [?] shows how efficiency can be gained in the insecure channels model by combining the key distribution and secret-sharing layers of the protocol. An even more efficient protocol was suggested in [?].

In the next section we give definitions and background. In section 3, we then prove that classical linear secret-sharing schemes, with an appropriate adversary structure, can be converted into quantum schemes with the same complexity, both in terms of share size and encoding/reconstruction. This gives another proof of theorem 8 from [?]. In the last section, we give a necessary and sufficient condition for (not necessarily linear) classical SS schemes to become quantum ones when run at the quantum level, and observe that all group homomorphic schemes obey this condition.



2 Preliminaries 

2.1 Adversary structures 

Given a set of players $P$, an adversary structure $\mathcal{A}$ over $P$ is a set of subsets of players which is downward-closed under inclusion:

$$(B \in \mathcal{A} \text{ and } B' \subseteq B) \Rightarrow B' \in \mathcal{A}.$$

Normally such a structure is used to represent the collection of all coalitions of players which a given protocol can tolerate without losing security: as long as the set of cheating players is in $\mathcal{A}$, the cheaters cannot breach the security of the protocol.

Secret-sharing schemes usually tolerate threshold structures, which are of the form $\mathcal{A} = \{B \subseteq P : |B| < t\}$ for some $t$. However, when working with more general structures, the following definitions prove useful.

Definition 1 An adversary structure $\mathcal{A} \subseteq 2^P$ is $Q^2$ if no two sets in $\mathcal{A}$ cover $P$, that is

$$\nexists\, B_1, B_2 \in \mathcal{A} : B_1 \cup B_2 = P.$$

Definition 2 The dual of an adversary structure $\mathcal{A}$ over $P$ is the collection

$$\mathcal{A}^* = \{B \subseteq P : B^c \notin \mathcal{A}\}$$

where $B^c$ denotes the complement $P - B$.

Definition 3 A structure $\mathcal{A}$ over $P$ is $Q^{2*}$ if its dual $\mathcal{A}^*$ is $Q^2$. This means that any two sets not in $\mathcal{A}$ will have a non-empty intersection.

It is interesting to note that $\mathcal{A}$ is $Q^2$ iff $\mathcal{A} \subseteq \mathcal{A}^*$. Dually, $\mathcal{A}$ is $Q^{2*}$ iff $\mathcal{A} \supseteq \mathcal{A}^*$. Consequently, a collection is self-dual iff it is both $Q^2$ and $Q^{2*}$.

2.1.1 Monotone functions

We can define a partial order on $\{0,1\}^n$ by the rule "$x \le y$ iff each coordinate of $x$ is at most the corresponding coordinate of $y$."

By identifying $\{0,1\}^n$ with $2^{\{1,\ldots,n\}}$, the relation $\le$ on $\{0,1\}^n$ corresponds to inclusion ($\subseteq$) in $2^{\{1,\ldots,n\}}$. Then a monotone function $f$ corresponds to a function from $2^{\{1,\ldots,n\}}$ to $\{0,1\}$ such that $A \subseteq B \Rightarrow f(A) \le f(B)$.

Such a monotone function $f$ naturally defines an adversary structure $\mathcal{A}_f = f^{-1}(\{0\}) = \{B \subseteq P : f(B) = 0\}$. Moreover, $f$ is called $Q^2$ (resp. $Q^{2*}$) iff $\mathcal{A}_f$ is $Q^2$ (resp. $Q^{2*}$).

2.2 Monotone span programs

Span programs were introduced as a model of computation in [?]. They were first used for multiparty protocols in [?] under this name, although a similar construction, attributed to Brickell, already existed ([?]). In this section we define some concepts related to monotone span programs.

Definition 4 A monotone span program (MSP) over a set $P$ is a triple $(K, M, \psi)$ where $K$ is a finite field, $M$ is a $d \times e$ matrix over $K$ and $\psi : \{1, \ldots, d\} \to P$ is a function which effectively labels each row of $M$ by a member of $P$.

The MSP associates to each subset $B \subseteq P$ a subset of the rows of $M$: the set of rows $l$ such that $\psi(l) \in B$. This corresponds to a linear subspace of $K^e$ (the span of those rows). The monotone function $f : 2^P \to \{0,1\}$ defined by a MSP is given by the rule "$f(B) = 1$ if and only if the target vector $e = (1, 0, 0, \ldots, 0)$ is in the subspace associated with $B$". If we denote by $M_B$ the submatrix of $M$ formed of the rows $l$ such that $\psi(l) \in B$ then we get that

$$f(B) = 1 \iff e \in \mathrm{Im}(M_B^T).$$

In fact, given any monotone function $f$, we can construct a MSP which computes it. The size of the MSP will be at most proportional to the size of the smallest monotone threshold formula for $f$, but may in some cases be exponentially smaller [?].

Remark: Denote the dual of a vector subspace $W$ by $W^\perp = \{u : u^T w = 0\ \forall w \in W\}$. For any matrix $M$ we have $\mathrm{Im}(M^T) = \ker(M)^\perp$. Thus, $f(B) = 0$ iff $\exists v : M_B v = 0$ and $e^T v \ne 0$.

2.2.1 Secret-sharing from MSP's

Given a MSP $(K, M, \psi)$, we can define a classical secret sharing scheme which tolerates the adversary structure $\mathcal{A}_f$ induced by the MSP. Say the dealer has a secret $s \in K$. He extends it to an $e$-rowed vector by adding random field elements $a_2, \ldots, a_e$ to make a vector $\vec{s} = (s, a_2, \ldots, a_e)$. The dealer gives the $l$-th component of $\hat{s} = M\vec{s}$ to player $\psi(l)$. If $\hat{s}_A$ denotes the elements of $\hat{s}$ with indices in $A$, where $A \subseteq \{1, \ldots, d\}$, then each $P_i$ receives $\hat{s}_{\psi^{-1}(i)}$.

The SS scheme thus defined tolerates exactly the adversary structure $\mathcal{A}_f$.

Note that the concept of MSP's is very general: any linear secret-sharing scheme (i.e. one in which the encoding of the secret is given by a linear map over a field) can be formulated as a MSP-based scheme [?]. The Shamir scheme is a special case, where $M$ is an $n \times (k+1)$ Vandermonde matrix, $e = k + 1$, $d = n$, and $\psi$ is the identity on $\{1, \ldots, n\}$.
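The following Python program is an added illustration, not part of the paper, of the MSP-based scheme of this section over a prime field $K = \mathrm{GF}(p)$: the dealer's map $\vec{s} \mapsto M\vec{s}$, the qualification test $f(B)$, reconstruction by a vector $u$ with $u^T M_B = e^T$, and an enumeration showing that an unqualified set's view is distributed independently of $s$. It also instantiates the Shamir special case as a Vandermonde matrix. The linear algebra is done by exhaustive search over $K^m$, an assumption made for brevity (a practical implementation would use Gaussian elimination over $K$); the non-threshold matrix `M_OR` and all function names are constructed for the example.

```python
# Added example (not from the paper): the linear secret-sharing scheme that a
# monotone span program (K, M, psi) induces, as in section 2.2.1, over the
# prime field K = GF(p).  The qualification test f(B) and the recombination
# vector u with u^T M_B = e^T are found by exhaustive search over K^m, which is
# fine for these toy sizes (a real implementation would use Gaussian
# elimination over K).  Rows are 0-indexed; psi[l] is the player owning row l.
from collections import Counter
from itertools import product
import random

def matvec(M, x, p):
    return [sum(a * b for a, b in zip(row, x)) % p for row in M]

def rows_of(B, psi):
    """Indices of the rows of M labelled by a player in B (the rows of M_B)."""
    return [l for l, owner in enumerate(psi) if owner in B]

def recombination_vector(M, psi, B, p):
    """u with u^T M_B = e^T = (1, 0, ..., 0), or None when e is not in Im(M_B^T)."""
    idx = rows_of(B, psi)
    M_B = [M[l] for l in idx]
    target = [1] + [0] * (len(M[0]) - 1)
    for u in product(range(p), repeat=len(idx)):
        if all(sum(u[i] * M_B[i][j] for i in range(len(idx))) % p == target[j]
               for j in range(len(target))):
            return list(u)
    return None

def f(M, psi, B, p):
    """The monotone function of the MSP: f(B) = 1 iff e is in Im(M_B^T)."""
    return 1 if recombination_vector(M, psi, B, p) is not None else 0

def share(M, psi, s, p, rng=random):
    """Dealer: pick a_2..a_e at random, compute s_hat = M (s, a_2, ..., a_e) and
    hand component l to player psi[l].  Returns {player: [its components]}."""
    x = [s % p] + [rng.randrange(p) for _ in range(len(M[0]) - 1)]
    s_hat = matvec(M, x, p)
    shares = {}
    for l, owner in enumerate(psi):
        shares.setdefault(owner, []).append(s_hat[l])
    return shares

def reconstruct(M, psi, shares, p):
    """Players B = shares.keys() compute s = u^T s_hat_B; None if B is unqualified."""
    B = set(shares)
    u = recombination_vector(M, psi, B, p)
    if u is None:
        return None
    queues = {owner: list(vals) for owner, vals in shares.items()}
    s_B = [queues[psi[l]].pop(0) for l in rows_of(B, psi)]   # in row order
    return sum(ui * si for ui, si in zip(u, s_B)) % p

def share_distribution(M, psi, B, p, s):
    """Multiset of the views of B as the dealer's randomness ranges over all
    of K^(e-1).  For B in A_f these multisets coincide for every s (perfect
    secrecy); for a qualified B they differ."""
    M_B = [M[l] for l in rows_of(B, psi)]
    return Counter(tuple(matvec(M_B, [s] + list(a), p))
                   for a in product(range(p), repeat=len(M[0]) - 1))

def shamir_msp(n, k, p):
    """Shamir's (k+1)-out-of-n scheme as an MSP (needs p > n): M is the
    n x (k+1) Vandermonde matrix with row (1, i, ..., i^k) for player i, and
    psi is the identity on {1, ..., n}."""
    M = [[pow(i, j, p) for j in range(k + 1)] for i in range(1, n + 1)]
    return M, list(range(1, n + 1))

# A constructed non-threshold MSP on the same machinery: players 1 and 2
# together, or player 3 alone, are qualified (e = (1,0) is in their row span).
M_OR, PSI_OR = [[1, 1], [0, 1], [1, 0]], [1, 2, 3]

if __name__ == "__main__":
    p = 7
    M, psi = shamir_msp(4, 1, p)                           # 2-out-of-4 over GF(7)
    sh = share(M, psi, 5, p)
    print(reconstruct(M, psi, {1: sh[1], 3: sh[3]}, p))    # 5
    print(reconstruct(M, psi, {2: sh[2]}, p))              # None
    print(share_distribution(M, psi, {2}, p, 0) == share_distribution(M, psi, {2}, p, 3))  # True
```

The `share_distribution` enumeration is the classical counterpart of the independence argument used later for the quantum scheme: a set $B$ is in $\mathcal{A}_f$ exactly when its view has the same distribution for every secret.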

2.3 Secret sharing with general access structures

With classical data, secret sharing is possible for any access structure. Given a monotone threshold formula for a function $f$, Benaloh and Leichter gave a construction for $\mathcal{A}_f$ with efficiency proportional to the size of the formula. This is improved on by constructions based on monotone span programs (section 2.2.1), which are always at least as efficient as the Benaloh-Leichter scheme but can be super-polynomially more so.

When sharing quantum data, the situation is slightly different. Because of the no-cloning theorem, it is impossible to share secrets with an adversary structure which is not $Q^{2*}$ (since then one can find two disjoint sets which can reconstruct the secret based on their shares). Because a pure-state QSS scheme is also a quantum code correcting erasures on the sets described by its adversary structure, we also get that any pure-state QSS scheme has an adversary structure which is in fact self-dual [?]. The natural converse to this is

Theorem 1 Given any $Q^{2*}$ structure $\mathcal{A}$, we can find a QSS scheme for $\mathcal{A}$. If $\mathcal{A}$ is self-dual, then the scheme can be a pure-state one.

This was proved for the case of threshold structures in [?]: their construction works when the number of cheaters $t$ is more than $\frac{n}{2} - 1$ (i.e. it takes more than $\frac{n}{2}$ players to reconstruct the secret). Moreover, theirs is a pure-state scheme when $n = 2t + 1$ (these correspond to the $Q^{2*}$ and self-dual conditions, respectively).

The full theorem was stated but not proved in [?]. We give a proof here, based on monotone span programs. Another proof, due to Daniel Gottesman and based on purification of quantum superoperators, appeared in [?].

3 Quantum secret-sharing from classical linear schemes

We assume that the reader is familiar with the notation and basic concepts of quantum computing. For clarity, we will ignore normalization factors.

3.1 Pure-state linear QSS

Cramer et al. pointed out that any linear secret-sharing scheme can be realized as a MSP-based scheme. In this section, I show that any MSP with adversary structure $\mathcal{A}$ gives rise to a quantum erasure-correcting code for erasures occurring on any set of positions in $\mathcal{A} \cap \mathcal{A}^*$. In the case where $\mathcal{A}$ is self-dual, this yields a pure-state quantum secret-sharing scheme for $\mathcal{A}$.

The idea is the same as that for the CGL scheme [?]. First choose a MSP, say $(K, M, \psi)$. Note that WLOG all $e$ columns of $M$ are linearly independent and so we can extend $M$ to an invertible $d \times d$ matrix $M'$. We can construct a quantum circuit $\hat{M}$ implementing multiplication by $M'$ and thus encode a basis state $|s\rangle$, for $s \in K$, as

$$\hat{M} : \sum_{a \in K^{e-1}} |s\rangle \otimes |a_1 \cdots a_{e-1}\rangle \otimes |0 \cdots 0\rangle \;\mapsto\; \sum_{a \in K^{e-1}} \left| M \binom{s}{a} \right\rangle$$

(The expression $\binom{s}{a}$ denotes the column vector obtained by adjoining $s$ to the beginning of the vector $a$.)

This scheme can be extended by linearity to arbitrary states $|\phi\rangle = \sum_{s \in K} \alpha_s |s\rangle$. The pieces of the encoded state are then distributed according to the function $\psi$. We have:

Theorem 2 Let $(K, M, \psi)$ be a MSP with a.s. $\mathcal{A}$. Then the encoding above corrects erasures on any set of positions in $\mathcal{A} \cap \mathcal{A}^*$.

To prove this, we need to show that for any set $B$ which is in $\mathcal{A}$ but whose complement is not, the players in $A = P - B$ can reconstruct the encoded data. We give a reconstruction procedure. The proof consists of the two following lemmas.

First we show the existence of certain vectors used in the reconstruction process.

Lemma 3 Let $(K, M, \psi)$ be a MSP with a.s. $\mathcal{A}$. Suppose $B \in \mathcal{A} \cap \mathcal{A}^*$ (i.e. $B \in \mathcal{A}$ and $A = P - B$ is not in $\mathcal{A}$). Then there exists an invertible linear transformation $U$ on the shares of $A$ such that after the transformation,

1. the first share contains the secret $s$;

2. all remaining shares, including those of players in $B$, are distributed independently of $s$ when the $e - 1$ other components of $\binom{s}{a}$ are chosen at random.

Proof: Say $A$ contains $m$ shares. Then we must construct $m$ linearly independent vectors $u_1, u_2, \ldots, u_m$ such that

1. $u_1^T M_A \binom{s}{a} = s$;

2. If $U'$ is the matrix with rows given by $u_2, \ldots, u_m$, then the value

$$\begin{pmatrix} U' M_A \\ M_B \end{pmatrix} \binom{s}{a}$$

is distributed independently of $s$.

To satisfy the first condition, pick any $u_1$ such that $u_1^T M_A = e^T$. Such a vector must exist since by hypothesis the players in $A$ can reconstruct the secret.

To satisfy the second condition, it's enough to ensure there exists $v$ such that

$$\begin{pmatrix} U' M_A \\ M_B \end{pmatrix} v = 0$$

and $e^T v \ne 0$ (see section 2.2).

Since $B \in \mathcal{A}$ we know that there is a $v$ such that $e^T v \ne 0$ and $M_B v = 0$. Furthermore, the subspace $W = \{u \in K^m : u^T M_A v = 0\}$ has dimension $m - 1$, and $u_1$ is not in that space since $u_1^T M_A v = e^T v \ne 0$. Hence any basis $\{u_2, \ldots, u_m\}$ of $W$ will do.

The matrix $U$ whose rows are given by the $u_i$'s gives the desired transformation. Note that $U$ doesn't depend on $a$. □
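To make the construction in the proof of Lemma 3 concrete, here is an added Python example, not from the paper, that builds $U$ for the Shamir 2-of-3 MSP over $\mathrm{GF}(5)$, with rows $(1, i)$ for players $i = 1, 2, 3$ (a constructed toy instance whose adversary structure $\{B : |B| \le 1\}$ is self-dual), and then checks both properties of the lemma by enumerating every value of the dealer's randomness $a$. The searches for $u_1$, for $v$ and for a basis of $W$ are exhaustive, which stands in for the linear algebra of the proof; all function names are our own.

```python
# Added example (not from the paper): building the invertible matrix U of
# Lemma 3 by exhaustive search for a toy MSP over GF(5), then checking the two
# properties the lemma promises for every B in the intersection of A and A*.
# The MSP is the Shamir 2-of-3 scheme: row (1, i) for player i = 1, 2, 3, so
# the adversary structure is {B : |B| <= 1}, which is self-dual.  Exhaustive
# search stands in for the linear algebra (solving u^T M_A = e^T, finding
# v in ker M_B, taking a basis of W) of the proof.
from collections import Counter
from itertools import product

p = 5
M = [[1, 1], [1, 2], [1, 3]]
psi = [1, 2, 3]                       # row l belongs to player psi[l]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % p

def matvec(Mx, x):
    return [dot(row, x) for row in Mx]

def submatrix(B):
    return [M[l] for l, owner in enumerate(psi) if owner in B]

def left_solve(Mx, target):
    """First u (in lexicographic order) with u^T Mx = target^T, or None."""
    m = len(Mx)
    for u in product(range(p), repeat=m):
        if all(sum(u[i] * Mx[i][j] for i in range(m)) % p == target[j]
               for j in range(len(target))):
            return list(u)
    return None

def independent(vectors):
    """True iff no non-trivial combination of the vectors is 0 over GF(p)."""
    n = len(vectors)
    return not any(any(c) and all(sum(c[i] * vectors[i][j] for i in range(n)) % p == 0
                                  for j in range(len(vectors[0])))
                   for c in product(range(p), repeat=n))

def lemma3_transform(B):
    """U for B in A ∩ A*, with A = P − B, following the proof of Lemma 3."""
    A = sorted(set(psi) - set(B))
    M_A, M_B = submatrix(A), submatrix(B)
    m, e = len(M_A), len(M[0])
    # (1) u_1 with u_1^T M_A = e^T exists because A = P − B is qualified.
    u1 = left_solve(M_A, [1] + [0] * (e - 1))
    # (2) B unqualified gives v with M_B v = 0 and e^T v != 0 (remark, section 2.2).
    v = next(v for v in product(range(p), repeat=e)
             if not any(matvec(M_B, v)) and v[0] != 0)
    w = matvec(M_A, v)                  # W = {u in K^m : u^T (M_A v) = 0}
    basis = []                          # greedily pick a basis u_2, ..., u_m of W
    for u in product(range(p), repeat=m):
        if dot(u, w) == 0 and independent(basis + [list(u)]):
            basis.append(list(u))
    assert len(basis) == m - 1 and dot(u1, w) != 0
    U = [u1] + basis
    assert independent(U)               # U is invertible
    return U, M_A, M_B

def transformed_views(B):
    """For each secret s: the values taken by the first transformed share, and
    the multiset of (remaining transformed shares of A, raw shares of B) as the
    dealer's randomness a ranges over all of K^(e-1)."""
    U, M_A, M_B = lemma3_transform(B)
    first, rest = {}, {}
    for s in range(p):
        seen, views = set(), Counter()
        for a in product(range(p), repeat=len(M[0]) - 1):
            x = [s] + list(a)
            t = matvec(U, matvec(M_A, x))          # U M_A (s, a)
            seen.add(t[0])
            views[(tuple(t[1:]), tuple(matvec(M_B, x)))] += 1
        first[s], rest[s] = seen, views
    return first, rest

def lemma3_holds(B):
    """Property 1: the first share is exactly s.  Property 2: the remaining
    shares (of A and of B together) are distributed independently of s."""
    first, rest = transformed_views(B)
    return (all(first[s] == {s} for s in range(p))
            and all(rest[s] == rest[0] for s in range(p)))

if __name__ == "__main__":
    for B in ({1}, {2}, {3}):
        U, _, _ = lemma3_transform(B)
        print(B, U, lemma3_holds(B))
```

For $B = \{3\}$ the search returns $u_1 = (2, 4)$ and $u_2 = (1, 3)$, so $U M_A \binom{s}{a} = (s,\, 4s + 2a)$ while player 3 holds $s + 3a$; writing $t = 4s + 2a$ the remaining pair is $(t, 4t)$ for every $s$, which is the independence the lemma asserts.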

Finally we show that the reconstruction process works:

Lemma 4 Let $(K, M, \psi)$ be a MSP and let $B \in \mathcal{A} \cap \mathcal{A}^*$, $A = P - B$. Suppose a quantum state $|\phi\rangle = \sum_{s \in K} \alpha_s |s\rangle$ is encoded as described at the beginning of this section. Then the shares in $A$ can be used to reconstruct $|\phi\rangle$. Consequently, no information on $|\phi\rangle$ can be obtained from the shares in $B$.

Proof: Consider the case when $|\phi\rangle = |s\rangle$ for some $s \in K$. Then the encoded state can be written

$$\sum_{a} \left| M_A \binom{s}{a} \right\rangle \left| M_B \binom{s}{a} \right\rangle.$$

Construct a quantum circuit for the map $b \mapsto Ub$, where $U$ is constructed as in lemma 3. Denote by $U'$ the matrix obtained by removing the first row of $U$. Applying the circuit for $U$ only to the components of the encoded state corresponding to $A$, we get

$$\sum_{a} \left| U M_A \binom{s}{a} \right\rangle \left| M_B \binom{s}{a} \right\rangle = \sum_{a} |s\rangle \left| U' M_A \binom{s}{a} \right\rangle \left| M_B \binom{s}{a} \right\rangle.$$

However, by construction the joint distribution of $U' M_A \binom{s}{a}$ and $M_B \binom{s}{a}$ is independent of $s$ when $a$ is chosen uniformly at random (lemma 3). Hence, for an arbitrary state $|\phi\rangle$ this procedure yields

$$|\phi\rangle \otimes \sum_{a} \left| U' M_A \binom{s}{a} \right\rangle \left| M_B \binom{s}{a} \right\rangle$$

(for any fixed $s$, the second factor being the same for every $s$). By a strong form of the no-cloning theorem, the correctness of the reconstruction implies that the shares of $B$ give no information at all on $|\phi\rangle$. □

(This completes the proof of theorem 2.)

When the adversary structure $\mathcal{A}$ defined by a MSP is $Q^2$, we have $\mathcal{A} \subseteq \mathcal{A}^*$. Hence, the previous theorem shows that erasures on any set of coordinates in $\mathcal{A}$ can be corrected. In addition, if $\mathcal{A}$ is self-dual (i.e. both $Q^2$ and $Q^{2*}$) then the qualified sets are precisely the complements of sets in $\mathcal{A}$ and hence every qualified set can reconstruct the secret but no unqualified set gets any information on it. Thus we have shown theorem 1 for the case of self-dual structures.

3.2 Mixed-state linear QSS

To handle structures which are simply $Q^{2*}$, we follow the strategy of [?]: first extend to a self-dual structure and then "trace out" the new share(s).

To extend a structure $\mathcal{A}$ over a player set $P$, add a new player to $P$ (say $r$):

Lemma 5 For any $Q^{2*}$ adversary structure $\mathcal{A}$ over a player set $P$, the structure $\mathcal{A}'$ over the set $P' = P \cup \{r\}$ given by

$$\mathcal{A}' = \mathcal{A} \cup \{B \cup \{r\} : B \in \mathcal{A}^*\}$$

is self-dual and its restriction to $P$ yields $\mathcal{A}$.

Proof: Elementary, using the fact that $\mathcal{A}$ is $Q^{2*} \iff \mathcal{A}^* \subseteq \mathcal{A}$. □
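The following Python code is an added illustration, not part of the paper, of Definitions 1 to 3 from section 2.1, of the observation there that $\mathcal{A}$ is $Q^2$ iff $\mathcal{A} \subseteq \mathcal{A}^*$ and $Q^{2*}$ iff $\mathcal{A}^* \subseteq \mathcal{A}$, and of the extension $\mathcal{A}'$ of Lemma 5, all on small threshold structures. The integer player labels, the threshold instances and the function names are constructed for the example.

```python
# Added example (not from the paper): adversary structures over a small
# player set, the Q^2 / dual / Q^2* / self-dual notions of Definitions 1-3,
# the remark "A is Q^2 iff A is contained in A*" that follows them, and the
# extension A' = A ∪ {B ∪ {r} : B in A*} of Lemma 5.  Players are labelled by
# integers, a coalition is a frozenset of players, a structure is a set of
# coalitions.
from itertools import combinations

def powerset(players):
    players = list(players)
    return {frozenset(c) for k in range(len(players) + 1)
            for c in combinations(players, k)}

def threshold_structure(players, t):
    """A = {B ⊆ P : |B| < t}: coalitions of fewer than t players."""
    return {B for B in powerset(players) if len(B) < t}

def is_downward_closed(A):
    """B in A and B' ⊆ B implies B' in A (the defining property of a structure)."""
    return all(Bp in A for B in A for Bp in powerset(B))

def is_q2(A, players):
    """Definition 1: no two sets in A cover P."""
    P = frozenset(players)
    return not any(B1 | B2 == P for B1 in A for B2 in A)

def dual(A, players):
    """Definition 2: A* = {B ⊆ P : P − B not in A}."""
    P = frozenset(players)
    return {B for B in powerset(P) if (P - B) not in A}

def is_q2_star(A, players):
    """Definition 3: A is Q^2* iff its dual A* is Q^2."""
    return is_q2(dual(A, players), players)

def is_self_dual(A, players):
    return A == dual(A, players)

def characterization_holds(players):
    """Check 'A is Q^2 iff A ⊆ A*' and 'A is Q^2* iff A* ⊆ A' over every
    non-empty downward-closed family of coalitions of `players`."""
    all_sets = list(powerset(players))
    for k in range(1, len(all_sets) + 1):
        for fam in combinations(all_sets, k):
            A = set(fam)
            if not is_downward_closed(A):
                continue
            D = dual(A, players)
            if is_q2(A, players) != (A <= D) or is_q2_star(A, players) != (D <= A):
                return False
    return True

def extend_to_self_dual(A, players, r):
    """Lemma 5: A' = A ∪ {B ∪ {r} : B in A*} over P' = P ∪ {r}, for Q^2* A."""
    assert r not in players and is_q2_star(A, players)
    return A | {B | {r} for B in dual(A, players)}

def restrict(A_prime, players):
    """The coalitions of A' that lie inside P (its restriction to P)."""
    P = frozenset(players)
    return {B for B in A_prime if B <= P}

if __name__ == "__main__":
    P = frozenset({1, 2, 3, 4})
    A = threshold_structure(P, 3)          # |B| <= 2 over four players
    print("Q^2:", is_q2(A, P), " Q^2*:", is_q2_star(A, P),
          " self-dual:", is_self_dual(A, P))          # False True False
    A_prime = extend_to_self_dual(A, P, 5)
    print("A' self-dual:", is_self_dual(A_prime, P | {5}),
          " restriction recovers A:", restrict(A_prime, P) == A)   # True True
    print("characterization over 3 players:", characterization_holds({1, 2, 3}))  # True
```

In the run above, the threshold structure "at most two of four players" is $Q^{2*}$ but not $Q^2$ (two disjoint pairs cover $P$), and adding the player $r = 5$ turns it into "at most two of five players", which is the self-dual threshold case $n = 2t + 1$ mentioned in section 2.3.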

Thus, a pure-state QSS scheme for $\mathcal{A}'$ will yield a mixed-state scheme for $\mathcal{A}$ by throwing out the share corresponding to $r$. For the construction to be efficient, we need the following:

Lemma 6 Given a MSP for $\mathcal{A}$, an MSP for $\mathcal{A}'$ can be efficiently constructed.

Proof: Note that the new access structure is $\Gamma' = \Gamma \cup \{B \cup \{r\} : B \in \Gamma^*\}$ (here $\Gamma, \Gamma^*, \Gamma'$ are the complements of $\mathcal{A}, \mathcal{A}^*, \mathcal{A}'$ resp.). Thus if $f, f^*, f'$ are the monotone functions whose adversary structures are $\mathcal{A}, \mathcal{A}^*, \mathcal{A}'$ respectively (i.e. they detect membership in $\Gamma, \Gamma^*, \Gamma'$), and if $f_r$ detects the presence of $r$ in a set, then $f' = f \vee (f^* \wedge f_r)$.

Now to construct the desired MSP, first obtain an MSP for $\mathcal{A}^*$ according to [?]. The MSP for $\mathcal{A}'$ can then be constructed by composition from MSP's calculating AND and OR. □

The resulting MSP is at most a constant times the size of the original.
4 QSS from classical SS

A natural conjecture given the results of the previous section is that any classical secret-sharing scheme for an adversary structure $\mathcal{A}$ will give a quantum erasure-correcting code for erasures in $\mathcal{A} \cap \mathcal{A}^*$. I show here a condition on the scheme for this to be the case. Not all schemes satisfy the condition, though a large class of them does, in particular group-homomorphic ones.

The corollary to this, as before, is that when $\mathcal{A}$ is self-dual, the resulting quantum scheme is a QSS scheme for $\mathcal{A}$. Note that the main difference between the proof we give here and that of the previous section is that here we don't guarantee that the reconstruction procedure is efficient, only that it exists and is unitary.

4.1 A general condition

A classical secret sharing scheme can be thought of as a probabilistic map $E$ from a secret space $\mathcal{S}$ into $n$ "share spaces" $\mathcal{Y}_1, \ldots, \mathcal{Y}_n$. The random input can be modeled as a choice from some set $\mathcal{R}$ with a given probability distribution. Now consider some set $U \in \mathcal{A} \cap \mathcal{A}^*$ and let $Q = U^c$ be its complement ($Q$ is qualified). Let $S$ be the random variable corresponding to the secret and let $Y_U$ and $Y_Q$ be those corresponding to the shares in $U$ and $Q$ respectively. Denote their concatenation $E(S) = Y = Y_U Y_Q$. Finally, let $\mathcal{Y}_U, \mathcal{Y}_Q$ be the share spaces for $U$ and $Q$ and let $\mathcal{Y} = \mathcal{Y}_U \times \mathcal{Y}_Q$ be the global share space.

Note that for the SS scheme to be perfect we must have

Correctness: $H(S|Y_Q) = 0$. Equivalently, $S = f(Y_Q)$ for some deterministic function $f$.

Secrecy: $I(S; Y_U) = 0$. Equivalently, $P(Y_U = y_u | S = s) = P(Y_U = y_u | S = s') = P(Y_U = y_u)$ for all $s, s' \in \mathcal{S}$.

Suppose now we have a quantum secret which is a linear superposition of basis states $|s\rangle$, $s \in \mathcal{S}$, and a unitary map $E$ such that for $s \in \mathcal{S}$:

$$E|s\rangle = \sum_{y \in \mathcal{Y}} \sqrt{P(Y = y | S = s)}\; |y\rangle.$$

This can in fact be rewritten as

$$\sum_{y_q : f(y_q) = s} \sqrt{P(Y_Q = y_q | S = s)}\; |y_q\rangle \sum_{y_u \in \mathcal{Y}_U} \sqrt{P(Y_U = y_u | Y_Q = y_q)}\; |y_u\rangle.$$

We want to decide if this can correct erasures on $U$. To do so requires showing that the density matrix of the $U$ component is independent of the secret's state. Note that it is not sufficient to show that the density matrix is the same for all $|s\rangle$. We have to show this for all choices of the $\alpha_s$'s in $\sum_{s \in \mathcal{S}} \alpha_s |s\rangle$. We can compute the density matrix explicitly by imagining that a measurement is made on the $Q$ component of the code and the secret. We can then consider $P(S = s)$ to be $|\alpha_s|^2$. In what follows $\rho_{U|y_q}$ is the density matrix of $U$ given $Y_Q = y_q$.



$$\rho_U = \sum_{s \in \mathcal{S}} |\alpha_s|^2 \sum_{y_q : f(y_q) = s} P(Y_Q = y_q | S = s)\; \rho_{U|y_q} = \sum_{y_q \in \mathcal{Y}_Q} P(Y_Q = y_q)\; \rho_{U|y_q},$$

where

$$\rho_{U|y_q} = \Big(\sum_{y_u^{(1)} \in \mathcal{Y}_U} \sqrt{P(Y_U = y_u^{(1)} | Y_Q = y_q)}\; |y_u^{(1)}\rangle\Big)\Big(\sum_{y_u^{(2)} \in \mathcal{Y}_U} \sqrt{P(Y_U = y_u^{(2)} | Y_Q = y_q)}\; \langle y_u^{(2)}|\Big)$$

$$= \sum_{y_u^{(1)}, y_u^{(2)} \in \mathcal{Y}_U} \sqrt{P(Y_U = y_u^{(1)} | Y_Q = y_q)\, P(Y_U = y_u^{(2)} | Y_Q = y_q)}\; |y_u^{(1)}\rangle\langle y_u^{(2)}|.$$

The matrices in the set

$$\{\, |y_u^{(1)}\rangle\langle y_u^{(2)}| : y_u^{(1)}, y_u^{(2)} \in \mathcal{Y}_U \,\}$$

are linearly independent. Their coefficients are

$$\sum_{y_q \in \mathcal{Y}_Q} P(Y_Q = y_q)\, \sqrt{P(Y_U = y_u^{(1)} | Y_Q = y_q)\, P(Y_U = y_u^{(2)} | Y_Q = y_q)}$$

$$= \sum_{s \in \mathcal{S}} |\alpha_s|^2 \sum_{y_q : f(y_q) = s} \sqrt{P(Y_U = y_u^{(1)}, Y_Q = y_q | S = s)\, P(Y_U = y_u^{(2)}, Y_Q = y_q | S = s)}.$$

For $\rho_U$ to be independent of the choice of the $\alpha_s$'s we must therefore have

$$\sum_{y_q : f(y_q) = s} \sqrt{P(Y_U = y_u^{(1)}, Y_Q = y_q | S = s)\, P(Y_U = y_u^{(2)}, Y_Q = y_q | S = s)} \qquad (1)$$

independent of $s$ for all $y_u^{(1)}, y_u^{(2)} \in \mathcal{Y}_U$. Thus

Theorem 7 Given a classical SS scheme for an adversary structure $\mathcal{A}$, the corresponding quantum scheme corrects erasures on $U \in \mathcal{A} \cap \mathcal{A}^*$ iff Equation (1) is independent of $s$ for all $y_u^{(1)}, y_u^{(2)} \in \mathcal{Y}_U$.

As unnatural as this condition seems, it is nonetheless satisfied by many SS schemes:

• If $Y_U$ is a function of $Y_Q$ (as is the case in the Shamir scheme) then expression (1) equals $0$ whenever $y_u^{(1)} \ne y_u^{(2)}$. Furthermore, when $y_u^{(1)} = y_u^{(2)} = y_u$ the expression reduces to $\sum_{y_q : f(y_q) = s} P(Y_U = y_u, Y_Q = y_q | S = s)$, which sums to $P(Y_U = y_u | S = s)$. This is independent of $s$ by the secrecy assumption above. Thus this type of scheme yields a secure QSS.

• A group homomorphic secret sharing scheme is based on an injective homomorphism $h : G \times G^m \to G^n$ for some group $G$. The secret $s$ is an element of $G$ and the $n$ shares are obtained by picking $v \in G^m$ and calculating $h(s, v)$.

In this case, the independence of expression (1) from $s$ is guaranteed by the following fact: in any homomorphic SS scheme, either two words $y_u^{(1)}, y_u^{(2)}$ never appear with the same word $y_q$ (that is

$$P(Y_U = y_u^{(1)} | Y_Q = y_q)\, P(Y_U = y_u^{(2)} | Y_Q = y_q) = 0$$

for all $y_q$) or they always appear with the same probability:

$$\sqrt{P(Y_U = y_u^{(1)} | Y_Q = y_q)\, P(Y_U = y_u^{(2)} | Y_Q = y_q)} = P(Y_U = y_u^{(1)} | Y_Q = y_q).$$

The same analysis as before applies: QSS schemes constructed from homomorphic schemes are secure. Interestingly, there seem to be no cases where non-homomorphic schemes provide any advantage over homomorphic ones [?].

Thus, it seems that although not all classical SS schemes yield a QSS scheme directly, the most important ones do. However, the proof given does not give the reconstruction procedure; it only proves its existence. It is not a priori clear that all classical SS schemes which yield a secure QSS scheme will have efficient (quantum) reconstruction procedures.
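As an added illustration, not part of the paper, of Theorem 7 and of the two cases listed above, the following Python code evaluates expression (1) exactly for a classical scheme described as a function from (secret, randomness) to shares, after first checking that the scheme is perfect in the sense of the correctness and secrecy conditions of section 4.1. The three schemes are constructed toy instances over $\mathbb{Z}_5$ with $U = \{3\}$ and $Q = \{1, 2\}$: Shamir's 2-of-3 scheme and a replicated additive scheme (both group homomorphic), and a contrived "leaky" scheme in which an extra bit held by player 3 copies a bit held by player 1 only when $s = 0$. The last one is classically perfect for single-player coalitions yet fails the condition, which by Theorem 7 means that running it at the quantum level does not correct erasures on $U$. All function names are our own.

```python
# Added example (not from the paper): evaluating the condition of Theorem 7,
# expression (1), for a classical scheme given as an explicit function
# (s, randomness) -> shares with the randomness uniform over a product of small
# ranges.  Three constructed 2-of-3 schemes over Z_5 are supplied, with U = {3}
# and Q = {1, 2}: the Shamir scheme and a replicated additive scheme (both
# group homomorphic, so the condition must hold), and a contrived scheme that
# is still a perfect classical scheme but fails the condition.
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import isclose, sqrt

p = 5
U, Q = (2,), (0, 1)          # 0-based player indices: U = {3}, Q = {1, 2}

def shamir_2_of_3(s, a):
    """Player i gets s + a*i over Z_5 (randomness a in Z_5)."""
    return tuple((s + a * i) % p for i in (1, 2, 3))

def replicated_2_of_3(s, r1, r2):
    """s = r1 + r2 + r3; player i gets the two summands other than r_i."""
    r3 = (s - r1 - r2) % p
    return ((r2, r3), (r1, r3), (r1, r2))

def leaky_2_of_3(s, a, b, c):
    """Shamir over Z_5 plus a bit: player 1 also gets b, and player 3 gets a
    bit that copies b when s = 0 but is fresh randomness c when s = 1.  Each
    player alone still learns nothing about s in {0, 1}."""
    bit = b if s == 0 else c
    return (((s + a) % p, b), (s + 2 * a) % p, ((s + 3 * a) % p, bit))

def joint_table(scheme, secrets, domains):
    """P(Y = y | S = s) as exact Fractions, randomness uniform over the domains."""
    table = defaultdict(Fraction)
    total = 1
    for d in domains:
        total *= len(d)
    for s in secrets:
        for r in product(*domains):
            table[(s, scheme(s, *r))] += Fraction(1, total)
    return table

def view(y, idx):
    return tuple(y[i] for i in idx)

def is_perfect(table):
    """Correctness: Y_Q determines S.  Secrecy: P(Y_U = y_u | S = s) is the
    same for every s."""
    f, marg = {}, defaultdict(lambda: defaultdict(Fraction))
    for (s, y), pr in table.items():
        if f.setdefault(view(y, Q), s) != s:
            return False
        marg[s][view(y, U)] += pr
    ref = next(iter(marg.values()))
    return all(m == ref for m in marg.values())

def expression_1(table, yu1, yu2, s):
    """Sum over {y_q : f(y_q) = s} of
    sqrt(P(Y_U = yu1, Y_Q = y_q | S = s) * P(Y_U = yu2, Y_Q = y_q | S = s)).
    By correctness the y_q with f(y_q) = s are exactly those occurring with S = s."""
    joint = defaultdict(Fraction)
    for (s2, y), pr in table.items():
        if s2 == s:
            joint[(view(y, U), view(y, Q))] += pr
    yqs = {yq for (_, yq) in joint}
    return sum(sqrt(float(joint[(yu1, yq)] * joint[(yu2, yq)])) for yq in yqs)

def theorem7_condition_holds(table, tol=1e-9):
    """True iff expression (1) is independent of s for all pairs y_u^(1), y_u^(2)."""
    secrets = sorted({s for (s, _) in table})
    yus = {view(y, U) for (_, y) in table}
    for yu1 in yus:
        for yu2 in yus:
            vals = [expression_1(table, yu1, yu2, s) for s in secrets]
            if not all(isclose(v, vals[0], abs_tol=tol) for v in vals):
                return False
    return True

SHAMIR = joint_table(shamir_2_of_3, range(p), [range(p)])
REPLICATED = joint_table(replicated_2_of_3, range(p), [range(p), range(p)])
LEAKY = joint_table(leaky_2_of_3, range(2), [range(p), range(2), range(2)])

if __name__ == "__main__":
    for name, t in (("shamir", SHAMIR), ("replicated", REPLICATED), ("leaky", LEAKY)):
        print(name, "perfect:", is_perfect(t),
              " Theorem 7 condition:", theorem7_condition_holds(t))
```

For the Shamir instance, expression (1) with $y_u^{(1)} = y_u^{(2)}$ evaluates to $P(Y_U = y_u | S = s) = 1/5$ and to $0$ otherwise, exactly as the first case above describes. For the leaky scheme, the pair $y_u^{(1)} = (0, 0)$, $y_u^{(2)} = (0, 1)$ gives $0$ when $s = 0$ (the bit is fixed by $y_q$) but $2 \cdot \sqrt{1/400} = 1/10$ when $s = 1$ (the bit is free), so the condition fails even though each single player's view is uniform for both secrets.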